Andrew Stuart writes:
From a security perspective, should even salted and hashed passwords stay behind the API, or might there be a need for something on the other side of the API to access that field?
At present the REST API is available only on localhost (at least by default), so it's not that big a risk (yes, I understand defense in depth, but there's a need of corresponding importance). In the absence of a proper authz/authn module inside of Mailman itself, I don't see a real alternative to making that data available to mailman.client, and thus making it possible for other user apps (HyperKitty, Postorius) to get authorization to access a specific user's data.
In the long run we need to do something about this. However, Mailman has operated based on passing around *cleartext* passwords by *email* for decades, with no serious issues that I know of.
If Barry is serious about World Domination, we need to fix this, but I don't see a huge hurry.
Steve